2.75 Million Dollar HIPAA Agreement Achieved with UMMC

Immediately after the 2.7 million HIPAA break agreement with OHSU comes news of one more multi-million-dollar agreement with one more university.

The Division of Health and Human Services’ OCR declared four days ago that University of Mississippi Medical Center (UMMC) has consented to settle down suspected HIPAA breaches and will reimburse a monetary fine of $2.75 million. UMMC has also consented to implement a corrective action plan (CAP) to bring secrecy and safety norms up to the degree demanded by HIPAA.

UMMC Probed After Thievery of Unencrypted Laptop

The agreement originates from a break of patients’ protected health information (PHI) in 2013. A laptop delivered to Medical Intensive Care Unit of UMMC was found to be lost. The laptop had the Protected Health Information of 500 sick persons. The files weren’t encrypted, even though the laptop was password locked. It was thought that a guest had thieved the laptop who had asked regarding using one of Medical Intensive Care Unit’s laptops.

OCR carried out an inquiry into the break and found the revelation of 500 patients PHI was among the least bothering problems. Possibly much more severe was the failure of UMMC to sufficiently save its wireless system from outer entry. Examiners found 67,000 files were saved in a working directory, which contained 328 files having ePHI. A general username as well as password had not been altered, which might have been abused to access the data of 10,000 sick persons which were saved on one of UMMC’s system drives.

Break Inquiry Exposed Many HIPAA Breaches

Many breaches of HIPAA Laws were also found. UMMC had failed to apply its procedures and policies to contain, detect, prevent, and rectify security breaches as per the resolution pact.

A complete risk evaluation to find possible dangers to the integrity, secrecy, as well as availability of ePHI, had also not been suitably carried out. Dangers to ePHi had not been decreased to a rational and suitable level, breaching the HIPAA Safety Law 45 C.F.R. §164.308(a)(1)(i).

Adequate physical restrictions had not been applied to avoid ePHI from being accessed by illegal people – A violation of 45 C.F.R. §164.310(c)).

Exclusive usernames/identifiers had not been designated, which avoided UMMC from being capable to trail which people had retrieved ePHI – A breach of 45 C.F.R. § 164.312 (a)(2)(i).

UMMC had also breached the Break Announcement Law by failing to notify sick persons whose ePHI was rationally thought to have been acquired, accessed, used, or revealed as a consequence of the data break – A breach of 45 C.F.R. §164.404. UMMC had just displayed a break notification on its website and released a notice to the mass media.

A broad Corrective Action Plan has been implemented to make sure that all possible HIPAA breaches are tackled and secrecy and safety are brought up to the degree needed by HIPAA. UMMC is also needed to release usual statements to OCR. The CAP will remain for a duration of three years.